You are on page 1of 16

Cyberoam - EndPoint Data Protection

Version 3.20.1130
Installation Guide

Document version 3-1.0-10/17/2009


Cyberoam – EndPoint Data Protection User Guide

IMPORTANT NOTICE
Elitecore has supplied this Information believing it to be accurate and reliable at the time of printing, but is
presented without warranty of any kind, expressed or implied. Users must take full responsibility for their
application of any products. Elitecore assumes no responsibility for any errors that may appear in this document.
Elitecore reserves the right, without notice to make changes in product design or specifications. Information is
subject to change without notice.

USER’S LICENSE
The ‘Software Product’ (Product) described in this document is furnished under the terms of Elitecore’s End User
license agreement.

Please read these terms and conditions carefully before using the Product. By using this Product, you agree to be
bound by the terms and conditions of this license. If you do not agree with the terms of this license, promptly return
the unused Product and manual (with proof of payment) to the place of purchase for a full refund.

LIMITED WARRANTY
Software: Elitecore warrants for a period of ninety (90) days from the date of shipment from Elitecore: (1) the
media on which the Software is furnished will be free of defects in materials and workmanship under normal use;
and (2) the Software substantially conforms to its published specifications except for the foregoing, the software is
provided AS IS. This limited warranty extends only to the customer as the original licensee. Customer’s exclusive
remedy and the entire liability of Elitecore and its suppliers under this warranty will be, at Elitecore or its service
center’s option, repair, replacement, or refund of the software if reported (or, upon, request, returned) to the party
supplying the software to the customer. In no event does Elitecore warrant that the Software is error free, or that
the customer will be able to operate the software without problems or interruptions. Elitecore hereby declares that
the Endpoint Data Protection Suite may be powered by its Technology Vendor(s) from time to time, and the
performance thereof shall be under warranty provided by such Technology Vendor(s). It is specified that such
Technology Vendor(s) does (do) not warrant that the Software protects against all known threats to the Endpoint
Data, nor that the Software will not occasionally erroneously report a threat in a title not affected by that
threat.

Hardware: Elitecore warrants that the Hardware portion (if applicable) of the Elitecore Products excluding power
supplies, fans and electrical components will be free from material defects in workmanship and materials for a
period of One (1) year. Elitecore's sole obligation shall be to repair or replace the defective hardware at no charge
to the original owner. The replacement Hardware need not be new or of an identical make, model or part. Elitecore
may, at its discretion, replace the defective Hardware (or any part thereof) with any reconditioned product that
Elitecore reasonably determines as substantially equivalent (or superior) in all material respects to the defective
Hardware.

DISCLAIMER OF WARRANTY
Except as specified in this warranty, all expressed or implied conditions, representations, and warranties including,
without limitation, any implied warranty or merchantability, fitness for a particular purpose, non-infringement or
arising from a course of dealing, usage, or trade practice, and hereby excluded to the extent allowed by applicable
law. In no event will Elitecore or its supplier be liable for any lost revenue, profit, or data, or for special, indirect,
consequential, incidental, or punitive damages however caused and regardless of the theory of liability arising out
of the use of or inability to use the product even if Elitecore or its suppliers have been advised of the possibility of
such damages. In no event shall Elitecore’s or its supplier’s liability to the customer, whether in contract, tort
(including negligence) or otherwise, exceed the price paid by the customer. The foregoing limitations shall apply
even if the above stated warranty fails of its essential purpose.

In no event shall Elitecore or its supplier be liable for any indirect, special, consequential, or incidental damages,
including, without limitation, lost profits or loss or damage to data arising out of the use or inability to use this
manual, even if Elitecore or its suppliers have been advised of the possibility of such damages.

RESTRICTED RIGHTS
Copyright 1999-2009 Elitecore Technologies Ltd. All rights reserved. Cyberoam, Cyberoam logo are trademark of
Elitecore Technologies Ltd.
CORPORATE HEADQUARTERS
Elitecore Technologies Ltd.
904 Silicon Tower, Off. C.G. Road,
Ahmedabad – 380015, INDIA
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com , www.cyberoam.com

Page i of 16
Cyberoam – EndPoint Data Protection User Guide

Contents

Page
EndPoint Data Protection Installation
1.1 Basic Structure............................................................................................................... 4
1.2 Installation ……………………………………………………………………………………… 5
1.2.1 Database 5
Installation ……………………………………………………………………...............
1.2.2 Server and Console 7
Installation ………………………………………………………................
1.2.3 Server 8
Registration ……………………………………………………………………..................
1.2.4 Checkcode 9
Setting ………………………………………………………………………...............
1.2.5 Server 10
Log ………………………………………………………………………………..................
1.3 Agent Deployment …………………………………………………………………………….. 10
1.3.1 Direct 10
Installation ……………………………………………………………………….................
1.3.2 Remote 11
Installation ……………………………………………………………………..................
1.3.3 Logon Script Installation………………………………………………………….. 12
1.4 System Upgrade ……………………………………………………………………………….. 14
1.4.1 Server and Console 14
Upgrade …………………………………………………………................
1.4.2 Agent 14
Upgrade …………………………………………………………………………..................
1.5 Uninstall EndPoint Data 14
Protection ……………………………………………………………………………...
1.5.1 Uninstall EndPoint Data Protection Server and 14
Console ……………………………………………..................
1.5.2 Uninstall EndPoint Data Protection 14
Agent ………………………………………………………………................

Page ii of 16
Cyberoam – EndPoint Data Protection User Guide

Technical Support

You may direct all questions, comments, or requests concerning the software you purchased, your
registration status, or similar issues to Customer care/service department at the following address:

Corporate Office
eLitecore Technologies Ltd.
904, Silicon Tower
Off C.G. Road
Ahmedabad 380015
Gujarat, India.
Phone: +91-79-66065606
Fax: +91-79-26407640
Web site: www.elitecore.com

Cyberoam contact:
Email: support@cyberoam.com
Web site: www.cyberoam.com

Telephonic Support:

Region Toll Free Number Non Toll Free Number


North America +1-877-777-0368 +1-973-302-8446
Europe +44-808-120-3958 +44-203-355-7917
APAC +1-877-777-0368 +1-973-302-8446
Middle East & Africa +1-877-777-0368 +1-973-302-8446
India 1-800-301-00013 +91-79-66065777

Visit www.cyberoam.com for the regional and latest contact information.

Page iii of 16
Cyberoam – EndPoint Data Protection User Guide

EndPoint Data Protection Installation

1.1 Basic Structure

EndPoint Data Protection system consists of 3 different components: Agent, Server, and Console. The Agent is
installed on every computer. Server is used for database storage and Agent management. Its main function is to
manage the inspected data. Usually, the server should be installed on a server class computer with a large amount
of system memory and large hard disk capacity. Console is used to audit, control and monitor the computers with
Agent installed and examine the log history. In most cases, Console will be installed on the administrator’s computer
alone, but it can also be installed on the Server too. The basic structure is shown below:

Figure 2.1 Basic System Architecture of Cyberoam Endpoint Data Protection

Server functions

• Search the network periodically, handles all the computers with Agent installed and send policy
settings and commands to Agents.
• Collects Agent data and saves it to the database.
• Backup log history.
• Provide convenient log history management, such as, reading, archiving, and searching.

Console functions

• Provides the view of complete dashboard.


• Helps to create policies and view logs.
• For archiving and backup

Agent functions

• Collects and saves data periodically


• Sends the collected data to the Server periodically
• Controls the operation of the user and computer according to the system policy.

Page 4 of 16
Cyberoam – EndPoint Data Protection User Guide
1.2 System Requirements

Module Minimum System Requirement

Database SQL Server 2000 SP4 or above / SQL Server 2005 SP1 or above
MSDE SP4 / SQL Server 2005 Express

Server OS Win2000 SP4/XP SP2/2003 SP1/Vista & Windows 7(32 bit only)

Recommended Pentium 4 2GHZ/512MB Memory/50GB Hard disk space

Console OS Win2000 SP4/XP/2003/2008/Vista & Windows 7 (32 bit only)

Recommended Pentium III 1GHZ/256MB Memory/4 GB Hard disk space

Agent OS Win 2000/XP/2003/2008/Vista & Windows 7 (32 bit only)

Recommended Pentium III 500 MHZ/128MB Memory/1 GB Hard disk space

Table 2.1 System Requirements

Server & SQL Requirements

„ If the Server is installed on Windows 2000 SP4, please make sure the system is updated with service patch:
Win2000-KB891861-v2x86-*.exe

„ If you are using Microsoft Server 2000, please make sure that the system is updated with Service Pack 4:
SQL2000-KB884525-SP4x86-ENU.exe

1.2 Installation

1.2.1 Database Installation

Prior to the installation of End Point Data Protection server, database must be installed. The product supports SQL
Server 2000 SP4 or above, SQL Server 2005 SP1 or above for database. Cyberoam Endpoint Data Protection by
default comes with Microsoft SQL Server Desktop Engine (MSDE) which is free.

We suggest installing Microsoft SQL Server 2005 Express Edition for Vista & Windows 7 users.

SQL Server Limitations

„ The limitation of Database size on free MSDE and SQL Express 2005 are 2G and 4G respectively.
With this limitation, it would affect the stabilities of server. We strongly recommend using Enterprise
version if there are many agents and too much data has to be stored in the database.

„ Please ensure that SQL Server 2000 is installed together with SP4, and SQL Server 2005 is installed
together with SP1. If any errors are encountered in the EndPoint Data Protection server’s boot up
process, please go to the Windows Control Panel Æ Administrative Tools Æ Event Viewer Æ
Application Log to confirm the version of SQL Server

Page 5 of 16
Cyberoam – EndPoint Data Protection User Guide

SQL Server 2005 Express Installation

We recommend installing Express Edition with Advanced Service version. To download, Click this link:

http://www.microsoft.com/Sqlserver/2005/en/us/express.aspx

[Prerequisite]

1. IIS 5.0 or above

If your Windows does not install with IIS, please go to Windows Control Panel Æ Add or Remove
Programs Æ Add or Remove Windows Components to install IIS

2. .NET Framework 2.0

Please go to Microsoft website to download .NET Framework 2.0 (x86) and install

3. Windows Installer 3.1

Please go to Microsoft website to download Windows Installer 3.1 and install

Installation Procedure

1. Download SQL Server 2005 Express Edition with Advanced SP1 from Microsoft. Double click the
SQLEXPR_ADV.EXE to start the setup. After reading and accepting the End User License Agreement, click
Next to continue

2. Prior to installing SQL Server, there are a few software components that are required to be installed. Click
Next to continue SQL Server setup when all required components are installed.

3. All necessary conditions are listed. Click Next to continue

4. In the Registration Information windows, unclick the option Hide advanced configuration options. Click
Next to continue

5. In the Feature Selection windows, make sure Management Studio Express is selected. Click Next to continue

6. In the Instance Name windows, make sure Default Instance is selected. If another option is selected, then
ENDPOINT DATA PROTECTION server would not start up properly.

7. In the Service Account windows, select Use the built-in System account and then select Local system. Click
Next to continue.

8. The remaining parts should be followed by the default settings until the installation completed.

9. Open the SQL Server Configuration Manager from Start Æ All Programs Æ Microsoft SQL Server 2005 Æ
Configuration Tools Æ SQL Server Configuration Manager

10. In the left panel, expend the SQL Server 2005 Network Configuration and then click the Protocols for
MSSQLSERVER. Also double click Named Pipes to make the status Enabled.

Page 6 of 16
Cyberoam – EndPoint Data Protection User Guide

Figure 2.2 SQL Server Configuration

11. If it is not enabled; expand the SQL Native Client Configuration and then click the Client Protocols. Double
click Named Pipes to make the status Enabled.

1.2.2 Server and Console Installation

Make sure the SQL Server or MSDE is started up, before server and console installation.

1) Double click EndPoint Data Protection.exe. Select the installation language, and then click Next.

2) Main installation interface would be visible. Then, Click Next.

3) The installation process prompts the default installation path. Users can also select another path for
installation. Please select a partition with a larger storage size for EndPoint Data Protection server
installation.

4) The installation process prompts the types and components and users can select EndPoint Data
Protection server and console. Then, Click Next.

5) Select the path of short-cut inside the “Start menu”. Click Next.

6) After verifying the settings, click Install and wait for the installation process to complete. Then, click Finish
to end the installation. The server will startup and the EndPoint Data Protection Service Manager will
be displayed on the task bar.

Event Viewer helps trace the installation problems

During the server installation, installation process will determine the operation system and the version of
the SQL Server. If the installation is not successful, please check the error message in Windows Event
Viewer Æ Application to analyze the problems.

Page 7 of 16
Cyberoam – EndPoint Data Protection User Guide

1.2.3 Server Registration

EndPoint Data Protection will generate a trial key for 30-days trial at the first time installation, the serial
number is composed of 6 groups of 4 digits string.

Figure 2.3 Server Registration

How to register the server

1. Right click EndPoint Data Protection Service ManagerÆToolsÆRegister, and then input
administrator password to enter the registration interface

2. Click the Upgrade button. The serial number text field becomes editable, and input the licensed serial
number

3. Click Confirm button to confirm the input serial number. If the input is correct, system will pop up a
confirmation dialogue and remind you to activate the system. You have to register the product to obtain the
register ID. Only with valid register ID input, the whole registration procedure of initial stage is completed.

There are two methods to complete the registration:

1. Online Please fill in the product registration information with Company Name, Contact Person,
Contact Number and email address. Click Register Online button, then the Register ID
will be returned and displayed in the Register ID [RID] field.

Page 8 of 16
Cyberoam – EndPoint Data Protection User Guide

A dialogue box with system message showed will pop up to confirm the registration. Click
Close button to leave the registration interface.

2. Email Please fill in the product registration information with Company Name, Contact Person,
Contact Number and email address. Click Send Email button.

Email will be sent to your registered email address with Register ID. Please copy and
paste the Register ID into Register ID [RID] field, and then click Register button to
confirm the registration.

A dialogue box with system message will pop up to confirm the registration. Click Close
button to leave the registration interface.

Table 2.2 Registration Methods

About Registration

„ If your server cannot connect to Internet, please email us with your Serial Number [SN] and
Product ID [PID]. We will help you process the registration individually.

1.2.4Checkcode Setting

Checkcode is a unique identifier between server and agent. The checkcode stored in agent must be matched
with server’s checkcode, and then the server is granted to manage the agent. In case of more than one server
running at the same time in a network, this avoids the agent being managed by another server which may not
belong to its original parent server. So, we highly recommend the system administrator to first set the
checkcode before deploying any agents.

Figure 2.4 Set Checkcode

How to set Checkcode

After the server starts up at the first time, right click the Service Manager icon and select from the popup
menu ToolsÆCheckcode. System would request to input administrator login and password before setting
the Checkcode. To confirm the setting, please input the Checkcode twice. Click OK button to complete the
setting.

The default Checkcode is empty. Once the checkcode is new set, reset or updated, this data will be updated
to connected agents automatically.

About Checkcode

„ System Administrator has to memorize or record this Checkcode in the safe place. In case the
operating system is required to be re-installed or EndPoint Data Protection is required to install on
a new server, the last Checkcode must be input after the re-installation completed. Otherwise,
those existing agents could not be connected to the new setup server because their checkcode are
Page 9 of 16
Cyberoam – EndPoint Data Protection User Guide
not matched. In this case, all agents must be re-installed.

„ If agents does not appear in the Console, please go to EndPoint Data Protection Console Æ
Events Log Æ System to check whether it is checkcode error or not

1.2.5 Server Log

To examine the EndPoint Data Protection server activity in details, please go to Windows Event Log. System
Administrator may use the information to analyze the server problems.

Figure 2.5 View Event Logs

How to view the server logs

Right click the Service Manager popup menu Tools Æ Event Log. Click the Application from the
left-hand-side panel of the Event Viewer to check the OSERVER3 process logs including the startup, stop or
error status of oserver3.exe.

1.3 Agent Deployment

There are two installation methods to install agents: Direct, and Remote. Depends on the deployment
environment, system administrator can choose either one for the agent deployment.

1.3.1 Direct Installation

To generate executable agent program, on EndPoint Data Protection server, go to Start Æ All Programs Æ
Cyberoam EndPoint Data Protection SuiteÆ Agent Install Generator. Refer the below screenshot

Figure 2.6 Agent Generator

Input the following fields, finally click Create Setup File button to generate the agent program.

Server IP Address • Default is the IP of the local machine. If more


than one IP addresses, you can input using
comma “,” to separate the IPs e.g.
Page 10 of 16
Cyberoam – EndPoint Data Protection User Guide
192.168.1.223, 58.177.209.222
• Static IP or Dynamic DNS is allowed to input

Setup File Full Path Input or Select the path and filename of the Agent setup
file to be created

Silent Mode • If selected, no user interface will show up during


[optional] installation

Login & Password You need the administrator privileges to create the agent
[optional] program

Table 2.3 Settings of Agent Generator

1.3.2 Remote Installation

How to install agents remotely

Using Remote Installation tool, administrator can help to install agents remotely. On the EndPoint Data
Protection server, click Start Æ All Programs ÆCyberoam EndPoint Data Protection Suite Æ Agent
Remote Installer to start the installation.

1. Scanning Settings

By default, the system scans all computers from EndPoint Data Protection server’s network segment. If
you want to extend the searching area, go to File Æ Scanning Settings. In the opened dialogue, you
can add the IP range.

2. Color Representation of the computer icons

Icon Color Window Window Online Agent


NT4.0/2000/XP/Win7 95/98/ or not Installed
me or not

Deep blue Yes No Yes No


Deep blue No Yes Yes No
Gray Yes No No No
Gray No Yes No No
Light Blue Yes No Yes Yes
Light Blue No Yes Yes Yes

Table 2.4 Color Representation of the computer icons

3. Installation

Click the computers on which you would like to install the agent. After selecting the computer, go to
Operation Æ Install to start the installation. During installation, the administrator login and password are
required if the current logon session is not administrator. The near bottom panel shows the details of
installation status and if any failures happened, the panel will show you the description and corresponding
error code.

FAQ

If failure occurs during remote installation, check if the following items are available in your targeted
computer:
1) If the current logon session does not grant administrator rights, at this time the system would pop up a
dialogue box requesting the login account and password with administrator rights.

2) Check ADMIN$ share is opened or not. Go to DOS Command Promote and type: net share command
to see whether ADMIN$ is already opened or not. If not, then type net share ADMIN$ to invoke this

Page 11 of 16
Cyberoam – EndPoint Data Protection User Guide
function

3) Check any shared folders function is available. If not, please try to share a folder to invoke this function.

For example, right click a folder, select Properties Æ Sharing. Then Select Share this folder. Input Share
name and define permission. Click OK to invoke the shared folder function

About Agent Installation

„ This installation method only works on Windows NT4.0/2000/XP. If you need to install agents on
Windows 9x/ME, you have to use Direct Installation method.

„ Because of some local security policies settings in Windows NT it may affect the normal
operations, and does not guarantee 100% for remote installation method. If you have followed the
above steps but still failed, we would recommend using Direct Installation method.

1.3.3 Logon Script Installation

How to install agent on remote computers through logon script in a Domain based environment?

Step 1

Create Setup File

Navigate to “Agent Installation Generator” under Start Æ All Programs Æ Cyberoam Endpoint Data
Protection Suite.

Create the manual setup file “Agent.exe” as below:

Note: Please, make sure that you tick “Silent Installation” and specify the Domain Administrator Details.

Page 12 of 16
Cyberoam – EndPoint Data Protection User Guide

Step 2

Copy the Agent.exe in the Netlogon folder on the server.

Note: Netlogon folder can be found at \\adsservername\netlogon. Replace <adsservername> with Active
Directory’s Server name or IP.

Step 3

Logon Script

Please, follow Step 3.1 if you do not have a logon script.

Step 3.1 Create a batch file (logonscript.bat) in the Netlogon folder on the server and paste the below
lines in the batch file.

START \\adsservername\netlogon\agent.exe

Note: Replace the <adsservername> with the Active Directory’s Computer Name or IP.

If you already have a logon script please, follow Step 3.2.

Step 3.2 Update the existing logon script with the below line.

START \\adsservername\netlogon\agent.exe

Note: Replace the <adsservername> with the Active Directory’s Computer Name or IP.

Step 4

Attach logonscript.bat to Profile if the script is not already attached.

On the next login attempt by the user, the agent will be installed on the end user’s machine and would be
visible in the EPDP Console after a few minutes.

Page 13 of 16
Cyberoam – EndPoint Data Protection User Guide
1.4 System Upgrade

1.4.1 Server and Console Upgrade

It is easy to upgrade server and console using our Upgrade pack.

1. Go to Windows Control Panel Æ Administrative Tools Æ Service to stop the following two services:
OCULAR V3 SERVER and OCULAR V3 UPDATE

2. Go to task manager Æ Process. Stop the service manager OControl3.exe and console
OConsole3.exe

3. Now you can start the upgrade process by executing the upgrade program. In the upgrade program, you
can see your current version and upgrade version details. Click Upgrade button to start or you can
upgrade using EndPoint Data Protection full package to replace the existing one completely.

4. After the completion, go to Windows Control Panel Æ Administrative Tools Æ Service to start the
OCULAR V3 SERVER and OCULAR V3 UPDATE manually. (If you are using EndPoint Data Protection
full package method, the server will start up automatically)

1.4.2 Agent Upgrade

Once the server is upgraded successfully, the corresponding agents will be upgraded automatically. The agent
machine must be restarted to complete the system upgrade.

1.5 Uninstall EndPoint Data Protection

1.5.1 Uninstall EndPoint Data Protection Server and Console

1. Close all running Console.

2. Go to All Programs Æ EndPoint Data Protection Æ Uninstall EndPoint Data Protection to uninstall
EndPoint Data Protection or go to Control Panel Æ Add/Remove Program to uninstall EndPoint Data
Protection

Uninstall agents before uninstalling EndPoint Data Protection

If you want to remove all EndPoint Data Protection agents, Console and Server, please delete all agents
first using Console before removing EndPoint Data Protection. Otherwise, the agents are still running in
every computer installed with EndPoint Data Protection agent even if the EndPoint Data Protection
Server is removed

1.5.2 Uninstall EndPoint Data Protection Agent

To uninstall EndPoint Data Protection agents, you can either do it from EndPoint Data Protection Console or
agent side machine. Once the agent is uninstalled, that agent will not be guarded by EndPoint Data Protection
anymore unless the agent is re-installed.

From EndPoint Data Protection Console

1. Select the agent from The Whole Network tree that you want to uninstall. If you want to uninstall all
agents at a time, please click The Whole Network.

2. After selecting, there are 3 ways to uninstall the agent:

a) From the toolbar, select Control Æ Uninstall Agent or

b) Right click the agent from The Whole Network. Then select Control Æ Uninstall Agent from the
menu.

c) Go to Tools Æ Computers, and click the Uninstall or Delete button

*Note - Difference between the function of Uninstall and Delete button


Page 14 of 16
Cyberoam – EndPoint Data Protection User Guide

o Uninstall button: The agent is uninstalled without releasing agent license


o Delete button: The agent is uninstalled and also releases agent license

Figure 2.8 Uninstall Agent


From Agent side

Below mentioned are steps for uninstallation, for agents that cannot connect to EndPoint Data Protection
server. (i.e. the agent in offline mode).

1. Go to Start Æ Run, type agt3tool ocularadv command


2. Select Uninstall Agent and then click Generate button
3. Inform your System Administrator about the Operate Code showed in the Check confirm code
dialog box
4. When a System Administrator gets the Operate Code, go to EndPoint Data Protection Console Æ
Tools Æ Agent Tool Æ Confirm-Code Generator. Input the Operate Code in the field of Agent
Operate Code. Then click the Parse button, and the agent information will be showed in the bottom
textbox.
5. Click the Generate button. The Confirm Code in Blue color will be shown in the Confirm Code
Information box. The System Administrator should tell the Confirm Code to the agent user.
6. Once the agent user gets the Confirm Code, he keys it in the field of Confirm Code to process the
un-installation immediately.

About Agent Un-installation

Note* - Uninstalled agent do not exactly delete the agent as the agent license has not been released, as
mentioned in the above methods. If you only uninstall the agent, the agent will still appear in the
EndPoint Data Protection Console (i.e. The Whole Network tree) and its icon are displayed in dark
gray color as shown in the above screen shot. To delete the agent completely:

1. Go to EndPoint Data Protection Console Æ Tools Æ Computers. Select the agent from the list that
you want to delete completely.

2. Click Delete button. This action implies that the agent is completely deleted and removed from
EndPoint Data Protection.

Below mentioned are the steps to check the agent is deleted completely or not:
• The agent should not appear in The Whole Network Tree.

• Go to EndPoint Data Protection Console Æ Tools Æ Computers. Here, the agent should not
be listed and the total number of licenses should also be decreased.

Page 15 of 16